By Nick Patience
The up-and-down nature of the negotiations between the US and European Union over personal data protection and privacy has taken a slight shift towards the positive with the news that representatives from some US trade associations may have secured an agreement with the German government on international data transfer. The Direct Marketing Association (DMA), in concert with organizations such as the International Chamber of Commerce (ICC) and officials from the Organization for Economic Cooperation and Development (OECD) are hopeful that a model contract will shortly be agreed upon for US companies to move data out of the EU without violating the EU data protection directive.
That directive came into force last October and contracts are seen as one of the main solutions for large companies that have to move data out of the EU to countries that don’t have the same level of data protection legislation, which includes the US. Large firms could negotiate individual contracts with the various governments of the EU, which would be part of a compromise between the two continents that is likely to include self- regulation and perhaps some US legislation.
The optimism arises from a recent set of meetings between the DMA, ICC and others with the various data protection commissioners in Germany. Germany has a separate commissioner in each state and no overall supervisor, although they do coordinate closely on matters of international data transfer. Bob Wientzen, the chief executive of the DMA says the sides have come to a tentative agreement.
Scott Blackmer, a Washington DC lawyer who represents the ICC on these matters, was in the meetings and drafted one of the principal model contracts under discussion. He says that progress has undoubtedly been made in Germany, but says that a simpler contract may be possible if the discussions over the US safe harbor provisions yield fruit. Those discussions are due to resume at a high level on May 28, as we reported yesterday.
Wientzen feels that as Germany has some of the most stringent data protection laws in place, if the model is acceptable to the German government, then it is likely to comply with other EU countries that have already passed their data protection legislation. The current tally is seven out of the 15 EU members states. He says the minor breakthrough – as that’s all it can be described as so far – represents a realization on the part of Germany that regulation can mean self-regulation.
